Windows Analysis Report
QFDXInkpM8.exe

Overview

General Information

Sample name: QFDXInkpM8.exe
renamed because original name is a hash value
Original sample name: 24e4567788c4a9442e2505d02b1c9324f1c95a454a819655de99ddb6eaf083cf.exe
Analysis ID: 1466136
MD5: f993a688264ec59724aa279e0b93e42c
SHA1: cbeb5d5042026ab23a40e48511099e7006f76e0d
SHA256: 24e4567788c4a9442e2505d02b1c9324f1c95a454a819655de99ddb6eaf083cf
Tags: exe

Detection

Amadey
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Amadeys stealer DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
PE file contains section with special chars
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: QFDXInkpM8.exe Malware Configuration Extractor: Amadey {"C2 url": "77.91.77.81/Kiru9gu/index.php", "Version": "4.30"}
Source: QFDXInkpM8.exe ReversingLabs: Detection: 37%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 94.4% probability
Source: QFDXInkpM8.exe Joe Sandbox ML: detected
Source: QFDXInkpM8.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: Malware configuration extractor IPs: 77.91.77.81
Source: Joe Sandbox View IP Address: 77.91.77.81
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU

System Summary

Source: QFDXInkpM8.exe Static PE information: section name:
Source: QFDXInkpM8.exe Static PE information: section name: .idata
Source: QFDXInkpM8.exe Static PE information: section name:
Source: C:\Users\user\Desktop\QFDXInkpM8.exe Code function: 0_2_002E60A2 0_2_002E60A2
Source: C:\Users\user\Desktop\QFDXInkpM8.exe Code function: 0_2_002C9910 0_2_002C9910
Source: C:\Users\user\Desktop\QFDXInkpM8.exe Code function: 0_2_002C4AD0 0_2_002C4AD0
Source: C:\Users\user\Desktop\QFDXInkpM8.exe Code function: 0_2_002C4CD0 0_2_002C4CD0
Source: C:\Users\user\Desktop\QFDXInkpM8.exe Code function: 0_2_002E0D23 0_2_002E0D23
Source: C:\Users\user\Desktop\QFDXInkpM8.exe Code function: 0_2_002E3D01 0_2_002E3D01
Source: C:\Users\user\Desktop\QFDXInkpM8.exe Code function: 0_2_002E1512 0_2_002E1512
Source: C:\Users\user\Desktop\QFDXInkpM8.exe Code function: String function: 002D7F00 appears 122 times
Source: C:\Users\user\Desktop\QFDXInkpM8.exe Code function: String function: 002DD852 appears 51 times
Source: QFDXInkpM8.exe Static PE information: No import functions for PE file found
Source: QFDXInkpM8.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal80.troj.spyw.winEXE@1/0@0/1
Source: QFDXInkpM8.exe ReversingLabs: Detection: 37%
Source: QFDXInkpM8.exe Static file information: File size 4968448 > 1048576
Source: QFDXInkpM8.exe Static PE information: Raw size of fonvwcns is bigger than: 0x100000 < 0x19f800
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: QFDXInkpM8.exe Static PE information: real checksum: 0x1dcdea should be: 0x4bfe2d
Source: QFDXInkpM8.exe Static PE information: section name:
Source: QFDXInkpM8.exe Static PE information: section name: .idata
Source: QFDXInkpM8.exe Static PE information: section name:
Source: QFDXInkpM8.exe Static PE information: section name: fonvwcns
Source: QFDXInkpM8.exe Static PE information: section name: ijaqkjlo
Source: QFDXInkpM8.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\QFDXInkpM8.exe Code function: 0_2_002DD82C push ecx; ret 0_2_002DD83F
Source: C:\Users\user\Desktop\QFDXInkpM8.exe Code function: 0_2_002D1314 push ecx; retn 0000h 0_2_002D1315
Source: C:\Users\user\Desktop\QFDXInkpM8.exe Code function: 0_2_002D064F push ss; iretd 0_2_002D0650
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\QFDXInkpM8.exe Code function: 0_2_002DDCA1 cpuid 0_2_002DDCA1

Stealing of Sensitive Information

Source: Yara match File source: QFDXInkpM8.exe, type: SAMPLE
Source: Yara match File source: 0.2.QFDXInkpM8.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.QFDXInkpM8.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1686937008.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY